We were running a trial with SentinelOne with a Client of ours. they already had Webroot and Malwarebytes installed. SentinelOne was the only one to pick up a strand of Malware. Sometimes the easiest root i.e AV is not always the best route

This person is a verified professional.

Windows Defender Antivirus is included in Windows 2016 by default? Free?

Do I have a GUI?

The built-in virus protection should be more than enough. I treat AV on servers as an after-thought, and I've run into quite a few server apps that insist it be disabled, or their files excluded from any kind of real-time scanning. Realistically, any virus shouldn't be able to make it through your two (at least) outer layers of protection at the edge.

This person is a verified professional.

You ought to be able to use the same solutions as the workstations, so long as they are the business versions. Server 2016 is fundamentally not significantly different from Windows 10 and will have Defender built in, though if you still want something more capable, you'll definitely want to make sure the AV product you select is compatible beings we are talking about servers. Sticking with the same product(s) as the workstations will simplify support, whether that means going with essentially the same product you are using on the workstations, or changing those to use a new product you are putting on the servers first is up to you.

Webroot also has an exceptionally good AV/AM product that is minimally invasive and/or intrusive, easy to configure and maintain, and is also exceptionally light on systems. I personally prefer Webroot to every other AV/AM solution I've ever used thus far, and I have experience with a LOT of them over the years.

This person is a verified professional.

I use to agree built in Av was good enough. However, with Ransomeware that is no longer the case. for Ransomeware protection we use Trend Security Services(we also use it on Workstations).

It can be fun to setup, but that is why the Ransomware protection is top notch. It shuts down any kind of activity that encrypts data on the local drive. Though I have never had it trigger it is suppose to shut down shares if it detect encryptions to UNC/Network drive paths. I have not tested, and it never triggers because the workstation version catches it every time.

With Polymorphs like Emotet you can no longer have unprotected/lightly servers,